On 8/25/24 17:55, Zé Loff wrote:
On Sun, Aug 25, 2024 at 02:49:03PM -0400, David Colburn wrote:
After a cursory reading, it looks OK. But don't forget to read the
supplied documentation, after installing the package:
less /usr/local/share/doc/pkg-readmes/mariadb-server
Also, most of those steps don't have to do with mariadb, but with simple
system administration. Installing the package, starting and stopping
services, and checking if processes are running and ports are open are
all tasks you should be familiar with.
All good to this point, thanks.
Now I'm reading this in
/usr/local/share/doc/pkg-readmes/mariadb-server
Given that lighttpd runs in chroot am I correct that I need to run the
following install and then edit /etc/my.cnf for things to play nicely
together?
Thanks,
David
--------------------------------------------------------------------------------------------------------------------
chrooted daemons and MariaDB socket
===================================
For an external program running under a chroot(8) to be able to access the
MariaDB server without using a network connection, the socket must be
placed inside the chroot.
e.g. httpd(8) or nginx(8): connecting to MariaDB from PHP
---------------------------------------------------------
Create a directory for the MariaDB socket:
    # install -d -m 0711 -o _mysql -g _mysql /var/www/var/run/mysql
Adjust /etc/my.cnf to use the socket in the chroot - this
applies to both client and server processes:
    [client-server]
    socket = /var/www/var/run/mysql/mysql.sock
You have three progressively less restrictive ways of providing access
to your database server:
* A Unix socket:
If all the database consumers will be running locally, you can use a
socket. If any of the consumers will be running chrooted to /var/www,
then you'll need to put the socket in the chroot, as described on the
pkg-readme (and remember not to use the full path when configuring the
chrooted clients).
* TCP, listening on 127.0.0.1:
If all consumers will be running on the same host, and if you don't want
the hassle of setting up the socket -- the tradeoff being having the
socket available for every process that can use inet -- then you can
just configure mariadb to listen on the loopback interface. If you have
"set skip on lo0" on pf.conf (it's there by default), then you won't
need to add anything else to that file.
* TCP, listening on other interfaces:
You'll need this if the database is to be accessible to other hosts.
Using this option might require adjusting your filtering rules on
pf.conf.
You can use any combination of the above methods (socket only, loopback
only, socket+loopback, socket+other interfaces, etc). See the "port",
"socket", "skip-networking" and "bind-address" options on the [mysqld]
section of /etc/my.cnf, and remember to set up the [client] section
accordingly (i.e., if you skip-networking, don't configure the client to
use TCP/IP, and if you don't set up a server socket, don't configure the
client to use it).
And make sure you know what you need, and why, before configuring
things.
Thank you for your reply.
Here's my attempt to assess & describe what I need, and why ...
This will be a self-hosted Web-facing server using the Chamilo-LMS
(learning management system) interface.
All of the users, students and teachers alike, would log into the
Chamilo-LMS host.
All of the data that Chamilo-LMS would serve would be hosted on the same
machine where it resides.
(Note: If I understand correctly, the preferred best-security practice
is to require a user of Chamilo-LMS to access any external links by
leaving the server - e.g. a remote user would open a second tab on their
machine to open a non-local URL, rather than my server passing that
content. True?)
As I understand it, Chamilo-LMS is based on PHP and uses MariaDB, but
Lighttpd is what manages the internal and Web-facing network side of
things?
So, database consumers would only communicate with MariaDB via Chamilo-LMS?
Would Chamilo-LMS need a Unix socket to communicate with MariaDB?
And then Lighttpd would use TCP (listening on 127.0.0.1) between the
Chamilo-LMS consumer login accounts and the world?
Thanks!
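The socket and TCP options discussed in this thread, as an added example that is not part of any message above or of the MariaDB package: a small check that reads a my.cnf, reports which of the three access methods it enables, and gives the socket path a client chrooted to /var/www would have to use. The function name, the sample file and the handling of a missing bind-address are assumptions made for the example.

```python
import configparser
import ipaddress
import posixpath

SAMPLE_MY_CNF = """\
# constructed sample, following the pkg-readme excerpt quoted above
[client-server]
socket = /var/www/var/run/mysql/mysql.sock

[mysqld]
skip-networking
"""

def assess(text, chroot="/var/www"):
    """Report how a my.cnf exposes MariaDB: TCP reach and socket path inside the chroot."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    # configparser cannot parse !include / !includedir directives, so skip them.
    cp.read_string("\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!")))

    def opt(name, *sections):
        # Simplification: first matching section wins; my.cnf accepts '-' or '_' in names.
        for sec in sections:
            if cp.has_section(sec):
                for key, val in cp.items(sec):
                    if key.replace("_", "-") == name:
                        return val or ""
        return None

    skip = opt("skip-networking", "mysqld")
    bind = opt("bind-address", "mysqld")
    if skip is not None and skip.lower() not in ("0", "off", "false"):
        tcp = "off"
    elif bind is None or bind in ("*", ""):
        tcp = "other-interfaces"  # assumption: no bind-address means all interfaces
    else:
        try:
            loop = bind == "localhost" or ipaddress.ip_address(bind).is_loopback
        except ValueError:
            loop = False  # other hostname: treat as reachable from outside
        tcp = "loopback" if loop else "other-interfaces"

    server_sock = opt("socket", "mysqld", "client-server")
    client_sock = opt("socket", "client", "client-server")
    inside = None
    if server_sock:
        sock, root = posixpath.normpath(server_sock), posixpath.normpath(chroot)
        if sock.startswith(root + "/"):
            # Path as seen by a process chrooted to `chroot` (no /var/www prefix).
            inside = "/" + posixpath.relpath(sock, root)
    return {"tcp": tcp, "server_socket": server_sock, "client_socket": client_sock,
            "chrooted_client_socket": inside}
```

A result with "chrooted_client_socket" set to None means the server socket lies outside the chroot, so a chrooted PHP process cannot open it and would need one of the TCP methods instead.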